From d9b36adf9db6e55ce3c1c5daac171320822b286b Mon Sep 17 00:00:00 2001
From: luigi
Date: Tue, 15 Jul 2003 23:08:44 +0000
Subject: Userland side of: Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers. This implement a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush". Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change. Suggested by: Paul Richards
---
 sbin/ipfw/ipfw.8 | 18 +++++++++++++-----
 sbin/ipfw/ipfw2.c | 18 +++++++++---------
 2 files changed, 22 insertions(+), 14 deletions(-)
(limited to 'sbin')
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 39dc69e..22dc548 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -124,7 +124,7 @@ An
 .Nm
 ruleset always includes a
 .Em default
-rule (numbered 65535) which cannot be modified,
+rule (numbered 65535) which cannot be modified or deleted,
 and matches all packets.
 The action associated with the
 .Em default
@@ -171,7 +171,7 @@ Rules can be added with the
 .Cm add
 command; deleted individually or in groups with the
 .Cm delete
-command, and globally with the
+command, and globally (except those in set 31) with the
 .Cm flush
 command; displayed, optionally with the content of the counters, using the
@@ -482,14 +482,22 @@ non-default value is used instead. .It Cm set Ar set_number Each rule is associated with a .Ar set_number -in the range 0..31, with the latter reserved for the -.Em default -rule. +in the range 0..31. Sets can be individually disabled and enabled, so this parameter is of fundamental importance for atomic ruleset manipulation. It can be also used to simplify deletion of groups of rules. If a rule is entered without specifying a set number, set 0 will be used. +.br +Set 31 is special in that it cannot be disabled, +and rules in set 31 are not deleted by the +.Nm ipfw flush +command (but you can delete them with the +.Nm ipfw delete set 31 +command). +Set 31 is also used for the +.Em default +rule. .It Cm prob Ar match_probability A match is only declared with the specified probability (floating point number between 0 and 1). diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index 91761bc..57349e2 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -1561,13 +1561,13 @@ sets_handler(int ac, char *av[]) bcopy(&((struct ip_fw *)data)->next_rule, &set_disable, sizeof(set_disable)); - for (i = 0, msg = "disable" ; i < 31; i++) + for (i = 0, msg = "disable" ; i < RESVD_SET; i++) if ((set_disable & (1< 30) + if (!isdigit(*(av[0])) || rulenum > RESVD_SET) errx(EX_DATAERR, "invalid set number %s\n", av[0]); - if (!isdigit(*(av[1])) || new_set > 30) + if (!isdigit(*(av[1])) || new_set > RESVD_SET) errx(EX_DATAERR, "invalid set number %s\n", av[1]); masks[0] = (4 << 24) | (new_set << 16) | (rulenum); i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t)); 
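Review bot: Raising the `set swap` bounds in this hunk (`rulenum > RESVD_SET` and `new_set > RESVD_SET`) makes set 31 a legal operand of `ipfw set swap`, and the `cmd == 3` branch of the hunk at -1596 does the same for `ipfw set move set 31 to N`; neither path excludes the default rule 65535, which lives in set 31 and would follow the operation into an ordinary set. The persistence the ipfw.8 hunks document ("not deleted by ipfw flush", "cannot be modified or deleted") then rests entirely on the kernel refusing to relocate or drop rule 65535, which the userland side of this change cannot show; if the kernel does not guard it, a swap followed by a flush would remove the default rule. Either reject RESVD_SET as a swap/move source set here, or record the reliance in a comment, e.g. `/* set 31 may be named here; kernel must keep rule 65535 in RESVD_SET regardless */`. sets_handler begins before this hunk, and RESVD_SET is presumably supplied by the kernel's ip_fw header since nothing in this diff defines it.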
@@ -1596,10 +1596,10 @@ sets_handler(int ac, char *av[]) errx(EX_USAGE, "syntax: set move [rule] X to Y\n"); rulenum = atoi(av[0]); new_set = atoi(av[2]); - if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > 30) || + if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) || (cmd == 2 && rulenum == 65535) ) errx(EX_DATAERR, "invalid source number %s\n", av[0]); - if (!isdigit(*(av[2])) || new_set > 30) + if (!isdigit(*(av[2])) || new_set > RESVD_SET) errx(EX_DATAERR, "invalid dest. set %s\n", av[1]); masks[0] = (cmd << 24) | (new_set << 16) | (rulenum); i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t)); @@ -1613,7 +1613,7 @@ sets_handler(int ac, char *av[]) while (ac) { if (isdigit(**av)) { i = atoi(*av); - if (i < 0 || i > 30) + if (i < 0 || i > RESVD_SET) errx(EX_DATAERR, "invalid set number %d\n", i); masks[which] |= (1< 1 && !strncmp(*av, "set", strlen(*av))) { int set = strtoul(av[1], NULL, 10); - if (set < 0 || set > 30) + if (set < 0 || set > RESVD_SET) errx(EX_DATAERR, "illegal set %s", av[1]); rule->set = set; av += 2; ac -= 2; -- cgit v1.1
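Review bot: The destination-set check changed in this hunk still reports the wrong argument: `errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);` follows a test on `av[2]`, so for `set move X to Y` the message prints the literal `to` rather than the offending value; it should be `errx(EX_DATAERR, "invalid dest. set %s\n", av[2]);`. In the same condition the `cmd == 2` case only excludes a rule number of exactly 65535 while `rulenum` comes from `atoi()` unchecked, so a larger value is packed by `(cmd << 24) | (new_set << 16) | (rulenum)` and spills into the set and command fields; `(cmd == 2 && rulenum >= 65535)` keeps the encoding intact. `isdigit(*(av[0]))` validates only the first character (an input such as `3x` passes), so `strtol()` with an end-pointer check would be the tighter test; the hunk at -1613 has the same single-character validation before `atoi(*av)`.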